Two years ago this summer in July 2014, volunteer and staff leaders affiliated with the Ann Arbor, Michigan-based College of Healthcare Information Management Executives (CHIME), seeing the need for a nationwide organization to support chief information security officers (CISO) in healthcare, created AEHIS, the Association for Executives in Health Information Security. In fact, AEHIS was one of three associations created under the CHIME umbrella; the other two, created in October of 2014, were AEHIT, the Association for Executives in Healthcare Information Technology (for CTOs), and AEHIA, the Association for Executives in Healthcare Information Applications (for chief applications officers).
Among the key players in the creation and management of AEHIS has been George McCulloch. McCulloch, who served as deputy CIO at Vanderbilt University Health for 12 years, and who had also served on the board of directors of CHIME, helped to create AEHIS, as CHIME’s executive vice president for membership and professional development, and continues to help manage it. The Nashville-based McCulloch spoke recently with Healthcare Informatics Editor-in-Chief Mark Hagland regarding AEHIS and its forward evolution. Below are excerpts from that interview.
What are the purpose and focus for AEHIS?
AEHIS was created in order to create a community for healthcare information security leaders. There are a lot of resources out there for general security leaders [in other industries and trans-industry], but healthcare has its own challenges that are unique to us. And there was not a healthcare-specific group that we could find. Our mission is to provide services to those leaders in healthcare security, not only to help their organizations, but to help them personally. They are now front and center in a lot of activities. And like most leaders, they probably came up from a technical background, but are now reporting to the CIO, presenting to the board, etc. So to provide a community to help them, and secondarily, to help them develop leadership skills.
How many members do you have at this moment, in AEHIS?
We have over 500 at this time.
Are they mostly working in hospital systems, and mostly working in large hospital systems?
No, actually, they’re working in every size of organization. The way things are arranged is that if you’re a CHIME member, you can join any or all of those three associations [AEHIS, AEHIT, AEHIA]. In small hospitals, CIOs are also the CISOs for their organizations. We’ve got very large hospitals represented in AEHIS, and very small ones as well.
Are there any healthcare IT security leaders from medical groups, as well?
We have a few, but it’s primarily inpatient groups.
As we all know, the data security threats to patient care organizations in the U.S. have recently been accelerating dramatically. I’m sure people are excited by what you have to offer at AEHIS.
We’re very pleased by what’s been developed. Among other things, we’ve been able to submit four or five comments on legislation at the federal level. And we’ve done some regulatory comments, some congressional comments. We just commented on an FDA proposal. Marc Probst [CIO at the Salt Lake City-based Intermountain Healthcare], our chair, did testimony on whom the CISO at HHS [the federal Department of Health and Human Services] should report to. So we’ve spent a lot of time on the legislative and regulatory side. And everybody’s concerned about ransomware. So it’s been a busy year and a half.
What are your members saying are their top few issues these days?
The biggest issue that they see is that the threats are everywhere, and it’s split between bad actors on the outside, but also education of end-users as well, because a lot of things happen because of things people shouldn’t be doing. The biggest challenge they have is in getting the resources that are needed to protect the organization. At a time when we’re looking at cost and quality, this is another cost of doing business that is not at all inexpensive. And finding qualified people is a part of that expense, and challenge. So they’re asking, how do I get the resources that my organization needs, and look at the IT risks, and fold those into other risks, and find appropriate funding for what I’m being asked to do?
How do you see the evolution of the CISO role, going forward? About 25 years ago, people were still trying to sort out what the core components of the CIO role.
I agree with you; it’s turning out to be similar to the evolution of the CIO role. I’m a recovering CIO myself. I was in the industry for 30 years, and it’s very similar. And our organization is made up of people who are the top person in security in their organizations. There’s a lot of technology involved to protect the organization. And they really need to create a program around security, and really go beyond the technical components. And just as the CIO has a number of critical relationships with the CMIO, CNIO, CMO, CNO, CEO, COO of their organization, the CISO has relationships with the privacy area, finance, operations, legal, and so on. Those are all critical relationships that they need.
The CISO can’t sit in a room and manage the security program of their organization. We’re also finding that they’re working very closely with risk managers. Security risk is only one of a number of risk areas. So in order to not create another silo, they end up becoming relationship managers, in addition to making sure that they have the resources and technical skills on their team, to make sure they can do what needs to be done.
Do you see a number of people coming into the CISO role from outside of healthcare?
Oh, absolutely. We’re not growing our own fast enough. The highest percentages I’ve seen are coming from military and banking, and then other industries, probably in that order.
And the non-healthcare people are more questioning, and are sometimes bringing fresh eyes to these processes—and that’s good, right?
Yes, and they’re coming in from industries that spend a higher percentage of their revenues on security. So they bring some credibility and background. So they say, we need to do these things, and I’ve done these before, so give me the money that I need to accomplish this. So they bring in some credibility that an inside person might not have. They can say how much they spent on things and why. And there are certainly healthcare things. We do an event every fall, this will be our second one, and I just got off the phone with a CISO who came in from manufacturing. And he said, I’ve been here eight months, and about 80 percent of what I need to do, I’ve done before. But I’ve never dealt with HIPAA or medical devices, and about 20 percent, I’ve got to learn anew. So there’s still a chunk there that they have to learn as they come into healthcare.
What do you think will happen in the next two years, in general?
I think that organizations will find the money to increase their security presence. I think that boards are starting to see that this is the cost of doing business, and that we need to up our game here. I don’t want to see my name in the paper, I don’t want to be a MedStar or a Hollywood Presbyterian. So that’s going to happen. I don’t think we’ll see much of a change of the reporting relationship of the CISO reporting to the CIO.
Do you have any thoughts on that?
I think form follows function—organizations should do whatever works. And I think that certainly, the CIO is intimately involved, so it’s got to be a partnership. Maybe it’s just as how the CMIO role has evolved, where the CMIO and CIO are each other’s best friends. So that may evolve. And I see more and more organizations putting security as another risk factor. They deal with clinical risk, and with financial risk. And security risk is another flavor, but not different enough that they shouldn’t use the processes to pull all those people under a risk framework, to make things work.